VALMONT INDUSTRIES INC 10-K Cybersecurity GRC - 2025-02-25

Page last updated on February 25, 2025

VALMONT INDUSTRIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 16:50:58 EST.

Filings

10-K filed on 2025-02-25

VALMONT INDUSTRIES INC filed a 10-K at 2025-02-25 16:50:58 EST
Accession Number: 0000102729-25-000009

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C of this report. While these measures are designed to prevent, detect, respond to, and mitigate unauthorized activity, there is no guarantee they will be sufficient to prevent or mitigate the risks of a cyberattack-whether directly targeting our systems or through third-party service providers-or to enable us to detect, report, or respond in a timely and effective manner. Successful cyberattacks or other security incidents could result in the loss of key innovations, such as artificial intelligence or Internet of Things technologies; loss of access to critical data or systems through ransomware, crypto mining, or destructive attacks; and business delays or service disruptions. These incidents could lead to legal risks, fines, penalties, negative publicity, theft, modification or destruction of proprietary information, defective products, production downtimes, and operational disruptions. All of these could harm our reputation and competitiveness, and materially affect our business strategy, results of operations, or financial condition. Regulatory and business developments regarding climate change could adversely impact our operations and demand for our products. Regulatory and business developments related to climate change could adversely affect our operations and the demand for our products. We closely monitor scientific discussions and legislative developments regarding climate change, including proposed regulations, to assess their potential impact on our business. Ongoing debates about the presence and scope of climate change, along with increasing legislative and regulatory attention, are expected to continue. Our production processes and the market for our products are influenced by such laws and regulations. Compliance with these measures may result in higher costs for raw materials and transportation. Non-compliance could damage our reputation and further expose our operations and customers to significant risks. Climate change also presents physical risks, such as the increased frequency of severe weather events and rising sea levels, which could disrupt operations at our manufacturing facilities. These events may cause unforeseen disruptions of systems, equipment, or overall operations. Additionally, we are facing rising insurance premiums and costs, including for property, casualty, and business interruption insurance. This trend is partly driven by the growing frequency and severity of extreme weather events such as hurricanes, floods, wildfires, and other natural disasters. Insurers have responded by tightening underwriting standards, reducing coverage limits, and increasing premium rates, particularly for businesses with geographically diverse and asset-intensive operations like ours. Any reduction in insurance coverage limits or the introduction of policy exclusions increases our financial exposure to losses associated with casualty events, including extreme weather occurrences. We may encounter challenges in quickly adjusting our manufacturing capacity to respond to sudden shifts in demand for Infrastructure products. Producing large engineered structures for Infrastructure customers requires significant machinery and often necessitates operating our facilities at or near full capacity to achieve optimal utilization. As a result, if demand for specific structure types in the Utility market changes unexpectedly, our ability to adjust manufacturing capacity in the near term may be limited. Establishing new manufacturing capacity or expanding existing capacity involves significant vendor lead times, capital investments, and customer approvals, all of which further delay our ability to respond to unexpected increases in demand. These limitations could lead to delays in order fulfillment, customer dissatisfaction, potential business loss, inventory imbalances, increased labor and material costs, reduced productivity, lower profit margins, reputational harm, and a weakened market position. If we are unable to effectively address these challenges, it could have a material adverse impact on our business, financial condition, and operating results. ITEM 1B. UNRESOLVED STAFF COMMENTS None. ITEM 1C. CYBERSECURITY Risk Management and Strategy Our information security program covers a wide range of cybersecurity activities, with the primary objective of maintaining the confidentiality, integrity, and availability of information for both our business and customers. The program and our systems are designed to identify and mitigate information security risks and data privacy breaches. Our risk mitigation processes include a cybersecurity incident response plan, which is regularly exercised through tabletop exercises, security awareness training with attack simulations to reinforce the training, cybersecurity risk assessments integrated with technology acquisition processes , and the utilization of third-party partnerships for threat intelligence, incident response and escalation, and attack surface monitoring. We measure our security performance using the International Organization for Standardization 27001 Framework and Enterprise Risk Management strategies. We implement policies and practices to mitigate risks to organizational data and operational processes. Our Global Data Privacy Program continues to align with environmental, social, and corporate governance standards, taking into account both the risks and benefits of privacy-driven spending. The program’s operating model is based on the General Data Protection Regulation, adjusted to meet specific local requirements. This scalable model manages strategic, operational, legal, compliance, and financial risks and benefits, and utilizes technology to automate portions of the program, such as data subject access requests and consent and preference management. Our membership in the Data Privacy Board, a group comprised of some of the world’s largest companies with the mission of engaging in confidential, leader-level discussions, offers opportunities for unbiased benchmarking and support from peers across various industries. We continue to build privacy resilience across international operating environments. We collaborate with third-party vendors to enhance our processes against unauthorized access to our network, computers, programs, and data. Risk is inherent in risk management and cybersecurity strategy. See “Our operations could be adversely affected if our information technology systems and networks are compromised or targeted by cyberattacks” under Risk Factors in Part I, Item 1A of this report, which we incorporate here by reference. Governance The Board of Directors has oversight responsibility for cyber risks affecting the Company. The Board has delegated risk oversight of operational, compliance, and financial matters, including cybersecurity and information technology risk, to the Audit Committee . Our Director of Security has extensive experience implementing and managing cybersecurity policies, including overseeing investments in tools, resources, and processes that enables the continued maturity of our cybersecurity program. Team members supporting our information security program possess relevant educational backgrounds and industry experience. Our CEO, Chief Financial Officer, and Audit Committee receive regular reports from our Director of Security on the Company’s risk and compliance with cybersecurity matters, including data privacy, incidents, industry trends, and the prevention, detection, mitigation, and remediation of cyber incidents.
ITEM 1C. CYBERSECURITY Risk Management and Strategy Our information security program covers a wide range of cybersecurity activities, with the primary objective of maintaining the confidentiality, integrity, and availability of information for both our business and customers. The program and our systems are designed to identify and mitigate information security risks and data privacy breaches. Our risk mitigation processes include a cybersecurity incident response plan, which is regularly exercised through tabletop exercises, security awareness training with attack simulations to reinforce the training, cybersecurity risk assessments integrated with technology acquisition processes , and the utilization of third-party partnerships for threat intelligence, incident response and escalation, and attack surface monitoring. We measure our security performance using the International Organization for Standardization 27001 Framework and Enterprise Risk Management strategies. We implement policies and practices to mitigate risks to organizational data and operational processes. Our Global Data Privacy Program continues to align with environmental, social, and corporate governance standards, taking into account both the risks and benefits of privacy-driven spending. The program’s operating model is based on the General Data Protection Regulation, adjusted to meet specific local requirements. This scalable model manages strategic, operational, legal, compliance, and financial risks and benefits, and utilizes technology to automate portions of the program, such as data subject access requests and consent and preference management. Our membership in the Data Privacy Board, a group comprised of some of the world’s largest companies with the mission of engaging in confidential, leader-level discussions, offers opportunities for unbiased benchmarking and support from peers across various industries. We continue to build privacy resilience across international operating environments. We collaborate with third-party vendors to enhance our processes against unauthorized access to our network, computers, programs, and data. Risk is inherent in risk management and cybersecurity strategy. See “Our operations could be adversely affected if our information technology systems and networks are compromised or targeted by cyberattacks” under Risk Factors in Part I, Item 1A of this report, which we incorporate here by reference. Governance The Board of Directors has oversight responsibility for cyber risks affecting the Company. The Board has delegated risk oversight of operational, compliance, and financial matters, including cybersecurity and information technology risk, to the Audit Committee . Our Director of Security has extensive experience implementing and managing cybersecurity policies, including overseeing investments in tools, resources, and processes that enables the continued maturity of our cybersecurity program. Team members supporting our information security program possess relevant educational backgrounds and industry experience. Our CEO, Chief Financial Officer, and Audit Committee receive regular reports from our Director of Security on the Company’s risk and compliance with cybersecurity matters, including data privacy, incidents, industry trends, and the prevention, detection, mitigation, and remediation of cyber incidents.

Company Information